1. Field of the Invention
The present invention relates to the protection of an integrated circuit chip against laser attacks.
2. Discussion of the Related Art
FIG. 1 is a simplified cross-section view of an integrated circuit chip 1 formed inside and on top of a semiconductor substrate 3. Substrate 3 comprises, in its upper portion, an active layer 5, presently an epitaxial layer, in which are formed electronic components, not shown. Presently, active layer 5 is covered with a stack of insulating layers 7 and of conductive interconnect tracks 9. Several successive interconnect levels are generally provided. Conductive vias, not shown, cross the insulating layers to connect the conductive tracks together, to input-output terminals 11 of the chip, and to components of active layer 5, thus forming the circuit interconnections.
In certain devices, for example, secure components such as payment cards, regions of active area 5 are capable of processing and/or of storing critical data, for example, ciphering keys. Such devices may undergo a tampering aiming at obtaining protected confidential data.
Among known attacks, so-called “fault attacks” comprise deliberately disturbing the operation of a chip, and analyzing the influence of disturbances on its operation. The attacker especially studies the influence of disturbances on data such as output signals, the consumption, or response times. He is likely to deduce therefrom, by statistic studies or others, critical data such as the algorithms used and, possibly, ciphering keys.
To deliberately cause faults in the circuits of a chip, an attack mode comprises bombarding local areas of the chip with a laser beam. Fault can thus be injected into certain memory cells and/or the behavior of certain components may be altered. It should be noted that in a laser attack, the chip needs to be powered.
Due to the presence of the metal interconnect tracks on the front surface side of the substrate, laser attacks are, in many cases, performed on the back side of the chip. Indeed, on the front surface side, the probability for a laser beam to reach a component through the tangle of metal tracks is close to zero. Further, the attacker cannot afford to remove the interconnect levels since this would make the chip inoperative and impossible to analyze.
FIG. 2 is a simplified cross-section view of chip 1 illustrating a preliminary thinning-down step of substrate 3, frequently implemented before a back-side laser attack. Such a step improves the efficiency of the laser attack by reducing the beam attenuation by the substrate. To make the components of active region 5 accessible to the laser beam, the attacker needs to remove a portion of the thickness of substrate 3 from its lower surface or back side. As an example, a chip formed from a substrate having a 180-μm thickness will undergo a thickness decrease on the order of 130 μm before a laser attack.
To be protected against frauds, an attack detection device, coupled to a protection circuit, is generally provided in secure chips. When an attack is detected, the protection circuit implements measures of protection, alienation, or destruction of the critical data. For example, it may be provided, when an attack is detected, to interrupt the power supply of the chip or to reset the chip, to reduce the time during which the attacker may examine the chip response to a disturbance.
Attack detection solutions may be logical. They, for example, comprise regularly introducing, into the calculations, integrity tests enabling to make sure that the data are not being modified. Such solutions have the disadvantage of introducing additional calculation steps, thus increasing the chip response times. Further, integrity tests may not detect all the disturbances caused by an attacker. The latter thus has some room for maneuver that can enable him to acquire critical data.
Other so-called physical attack detection solutions especially comprise sensors sensitive to temperature variations, to ultraviolet rays, or to X rays, enabling to detect suspicious activities. Like logic solutions, such solutions are not perfectly reliable. Indeed, before the attack is detected, the attacker has room for maneuver to obtain critical data. Further, the implementation of such solutions is complex and increases the silicon surface area necessary to form the chip.